Vulnerabilites related to sitecore - managed_cloud
Vulnerability from fkie_nvd
Published
2023-06-06 19:15
Modified
2025-01-08 17:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.assetnote.io/2023/05/10/sitecore-round-two/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002925 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.assetnote.io/2023/05/10/sitecore-round-two/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002925 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sitecore | experience_commerce | * | |
| sitecore | experience_manager | * | |
| sitecore | experience_platform | * | |
| sitecore | managed_cloud | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5347D215-14FC-47E1-9B79-788DF656158B",
"versionEndIncluding": "10.3",
"versionStartIncluding": "9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E6292DA1-E0C4-4253-9E47-4AB795C1A15C",
"versionEndIncluding": "10.3",
"versionStartIncluding": "9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FED0DB4B-0E65-4419-ACDE-4BE8D4C5AA9A",
"versionEndIncluding": "10.3",
"versionStartIncluding": "9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:managed_cloud:-:*:*:*:*:*:*:*",
"matchCriteriaId": "520CF670-01A2-479F-B637-C413A82463E0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules."
}
],
"id": "CVE-2023-33651",
"lastModified": "2025-01-08T17:15:12.777",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-06-06T19:15:12.103",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002925"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002925"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-17 23:15
Modified
2024-12-17 17:15
Severity ?
Summary
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002979 | Mitigation, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002979 | Mitigation, Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sitecore | experience_commerce | * | |
| sitecore | experience_manager | * | |
| sitecore | experience_platform | * | |
| sitecore | managed_cloud | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1E155DDF-A874-41BC-879A-51F3081E522B",
"versionEndIncluding": "10.3",
"versionStartIncluding": "8.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "654EF83E-0D73-4476-B410-7979FD05A193",
"versionEndIncluding": "10.3",
"versionStartIncluding": "8.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86314BB1-3F0A-4286-BA5B-26DB415BF4B2",
"versionEndIncluding": "10.3",
"versionStartIncluding": "8.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:managed_cloud:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ED6CF6F0-FB89-452D-B213-E8C5F6F60725",
"versionEndIncluding": "10.3",
"versionStartIncluding": "8.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3."
}
],
"id": "CVE-2023-35813",
"lastModified": "2024-12-17T17:15:08.117",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-17T23:15:09.137",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002979"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002979"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
cve-2023-33651
Vulnerability from cvelistv5
Published
2023-06-06 00:00
Modified
2025-01-08 16:14
Severity ?
EPSS score ?
Summary
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:47:06.520Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002925"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-33651",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T16:12:41.707251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T16:14:58.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-06T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/"
},
{
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002925"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-33651",
"datePublished": "2023-06-06T00:00:00",
"dateReserved": "2023-05-22T00:00:00",
"dateUpdated": "2025-01-08T16:14:58.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-35813
Vulnerability from cvelistv5
Published
2023-06-17 00:00
Modified
2024-12-17 16:20
Severity ?
EPSS score ?
Summary
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002979"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T16:19:13.632398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T16:20:49.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-17T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1002979"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-35813",
"datePublished": "2023-06-17T00:00:00",
"dateReserved": "2023-06-17T00:00:00",
"dateUpdated": "2024-12-17T16:20:49.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}